Closed: AWSElectionsQuebec closed this issue 6 months ago
Fixed in 1.5.9
@AWSElectionsQuebec Where did you see this in the doc?
According to the documentation this is invalid but should not fail the stack “You must specify only one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group.” Ref : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupingress.html
We are having the exact same error with our stack, but the template we use has not changed at all. The stack was created correctly before and now it's throwing this error. Did something change recently in AWS, as in around February?
For context we are using an EB configuration:
aws:autoscaling:launchconfiguration:
  SecurityGroups: default
  SSHSourceRestriction: tcp, 22, 22, Some Security Group Name
This application is deployed in the default VPC so we should be able to specify the SG name.
For security groups in a nondefault VPC, you must specify the group ID.
Only for deployment in a non-default VPC do you need the ID.
This is transformed in the following CloudFormation rule:
"Resources": {
  "AWSEBSecurityGroupSSHIngress": {
    "Properties": {
      "GroupName": { "Ref": "AWSEBSecurityGroup" },
      "FromPort": "22",
      "ToPort": "22",
      "SourceSecurityGroupName": "Some Security Group Name",
      "IpProtocol": "tcp"
    },
    "Type": "AWS::EC2::SecurityGroupIngress"
  }
}
and fails on creation of the stack with this same error for the logical ID "AWSEBSecurityGroupSSHIngress":
Resource handler returned message: "Exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId, and SourcePrefixListId must be specified and not empty" (RequestToken: xxxx, HandlerErrorCode: InvalidRequest)
Hi @Maxwell2022 ,
The documentation was updated on March 6 to remove the sentence "Otherwise, the stack launches successfully, but the rule is not added to the security group." Something has changed in February. We opened a support case on March 1st and the answer was:
After conducting testing and verifying with the Internal Team, the resource and property reference has been updated to include that one of the following 4 properties must be included for the resource "AWS::EC2::SecurityGroupIngress" [1].
List of included properties [1]:
CidrIp, CidrIpv6, SourceSecurityGroupId, SourcePrefixListId
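The two posts above describe the same rule from both sides: a rule that carries only SourceSecurityGroupName (or no source at all) now fails, and support confirms that exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId and SourcePrefixListId must be present and non-empty. That is a check worth running on a template before CloudFormation sees it. The script below is an added example, not code from this thread, from Elastic Beanstalk or from any AWS tool: it walks every AWS::EC2::SecurityGroupIngress resource in a JSON template, reports rules with no non-empty source, and flags SourceSecurityGroupName, which CloudFormation only accepts for groups in the default VPC. It also reports rules with more than one source set, which goes beyond the cases in the thread but follows from "exactly one". The embedded template, its logical IDs, the VPC and security group IDs and the function names are all constructed for the example.

```python
"""Lint AWS::EC2::SecurityGroupIngress resources in a CloudFormation template.

Added example for this thread; not code from the issue, Elastic Beanstalk or
any AWS tool. Rule checked: exactly one of CidrIp, CidrIpv6,
SourceSecurityGroupId and SourcePrefixListId must be present and non-empty.
SourceSecurityGroupName is flagged because CloudFormation only accepts it for
security groups in the default VPC. The template below is constructed.
"""
import json

SOURCE_PROPS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId", "SourcePrefixListId")

# Constructed sample template: one group plus four ingress rules, three of them bad.
SAMPLE_TEMPLATE = """{
  "Resources": {
    "AWSEBSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "example group", "VpcId": "vpc-0123456789abcdef0"}
    },
    "NoSource": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"Description": "no source at all, like the issue report",
                     "GroupId": {"Ref": "AWSEBSecurityGroup"}, "IpProtocol": "-1"}
    },
    "NameOnly": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "AWSEBSecurityGroup"}, "IpProtocol": "tcp",
                     "FromPort": 22, "ToPort": 22,
                     "SourceSecurityGroupName": "Some Security Group Name"}
    },
    "TwoSources": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "AWSEBSecurityGroup"}, "IpProtocol": "tcp",
                     "FromPort": 443, "ToPort": 443,
                     "CidrIp": "10.0.0.0/8", "SourceSecurityGroupId": "sg-0fedcba9876543210"}
    },
    "Good": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "AWSEBSecurityGroup"}, "IpProtocol": "tcp",
                     "FromPort": 22, "ToPort": 22,
                     "SourceSecurityGroupId": "sg-0fedcba9876543210"}
    }
  }
}"""


def _is_empty(value):
    """None, an empty or whitespace-only string, [] and {} count as empty.
    An intrinsic such as {'Ref': '...'} is a non-empty dict and counts as set."""
    if value is None:
        return True
    if isinstance(value, str):
        return value.strip() == ""
    if isinstance(value, (list, dict)):
        return len(value) == 0
    return False


def lint_ingress_rules(template):
    """Return {logical_id: [problem, ...]} for every ingress rule that would now
    fail with 'Exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId, and
    SourcePrefixListId must be specified and not empty'."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroupIngress":
            continue
        props = resource.get("Properties") or {}
        problems = []
        present = [p for p in SOURCE_PROPS if not _is_empty(props.get(p))]
        if not present:
            problems.append("no source: exactly one of %s is required" % ", ".join(SOURCE_PROPS))
        elif len(present) > 1:
            problems.append("multiple sources set: %s" % ", ".join(present))
        if not _is_empty(props.get("SourceSecurityGroupName")):
            problems.append("SourceSecurityGroupName only works for groups in the default VPC; "
                            "use SourceSecurityGroupId")
        if problems:
            findings[logical_id] = problems
    return findings


def lint_template_text(text):
    """Parse a JSON template and lint it (wrapper for file contents or strings)."""
    return lint_ingress_rules(json.loads(text))


if __name__ == "__main__":
    for logical_id, problems in sorted(lint_template_text(SAMPLE_TEMPLATE).items()):
        for problem in problems:
            print("%s: %s" % (logical_id, problem))
```

Running the file prints one line per problem in the sample template (NoSource, NameOnly and TwoSources; Good is silent). Point lint_template_text at the JSON template that is actually handed to CloudFormation, after any preprocessing, so that a rule like the NameOnly case is caught before the stack goes to CREATE_FAILED.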
Required Basic Info
Describe the bug
We have the following resource defined in a CloudFormation template:
"SecurityGroupsSharedAccount2DataIngress06F21500D4": {
  "Type": "AWS::EC2::SecurityGroupIngress",
  "Properties": {
    "Description": "Central VPC Traffic Inbound from Mgmt-a",
    "GroupId": { "Ref": "SecurityGroupsSharedAccount2DataFBF92784" },
    "IpProtocol": "-1"
  }
}
According to the documentation this is invalid but should not fail the stack “You must specify only one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group.” Ref : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupingress.html
This is the behavior we were seeing previously (stack created without error, but no rule created). However, the same stack is now failing with this error:
CREATE_FAILED | AWS::EC2::SecurityGroupIngress | DevLepPhase2/SecurityGroupsDev-Shared-2/SecurityGroups-SharedAccount-2/Data-Ingress-0-6 (SecurityGroupsSharedAccount2DataIngress06F21500D4) Resource handler returned message: "Exactly one of CidrIp, CidrIpv6, SourceSecurityGroupId, and SourcePrefixListId must be specified and not empty" (RequestToken: 3a1db87f-fd7b-3e8c-d94b-b21ac0f721c4, HandlerErrorCode: InvalidRequest)
Has there recently been a change in how this behavior is enforced?
Failure Info
Required files
Logical ID: ASEA-DevLep-Phase2-SecurityGroupsDevShared2NestedStackSecurityGroupsDevShared2NestedSt-LS5N0XOSDYFQ Status: CREATE_FAILED Status reason: The following resource(s) failed to create: [SecurityGroupsSharedAccount2DataIngress00F34A5A39, SecurityGroupsSharedAccount2MgmtIngress17F90AFBBB, SecurityGroupsSharedAccount2MgmtIngress104125E808, SecurityGroupsSharedAccount2MgmtIngress1607DED6CB, SecurityGroupsSharedAccount2DataIngress08C8EE6D79, SecurityGroupsSharedAccount2AppIngress0754743510, SecurityGroupsSharedAccount2MgmtIngress18EB52F9D3, SecurityGroupsSharedAccount2MgmtIngress116A62309F, SecurityGroupsSharedAccount2DataIngress035FE8591D, SecurityGroupsSharedAccount2WebIngress18E4A8B7E8, SecurityGroupsSharedAccount2WebIngress1433FBE6B0, SecurityGroupsSharedAccount2WebIngress106987B201, SecurityGroupsSharedAccount2MgmtIngress14BAEC15F4, SecurityGroupsSharedAccount2AppIngress045921009A, SecurityGroupsSharedAccount2WebIngress12A2A3B54A, SecurityGroupsSharedAccount2DataIngress01024327791, SecurityGroupsSharedAccount2AppIngress0065BFDE57, SecurityGroupsSharedAccount2WebIngress159C919868, SecurityGroupsSharedAccount2MgmtIngress110E49CA30A, SecurityGroupsSharedAccount2WebIngress134FABAB12, SecurityGroupsSharedAccount2DataIngress012BF1D750, SecurityGroupsSharedAccount2AppIngress067A5A882C, SecurityGroupsSharedAccount2DataIngress07E62427CE, SecurityGroupsSharedAccount2MgmtIngress156D3A7EBB, SecurityGroupsSharedAccount2AppIngress010DFBB0CA, SecurityGroupsSharedAccount2DataIngress011436E8E61, SecurityGroupsSharedAccount2MgmtIngress13496978A1, SecurityGroupsSharedAccount2MgmtIngress192BD4CBB2, SecurityGroupsSharedAccount2AppIngress011B9608648, SecurityGroupsSharedAccount2WebIngress193765D73D, SecurityGroupsSharedAccount2AppIngress02016F0A9D, SecurityGroupsSharedAccount2DataIngress02A22AC80F, SecurityGroupsSharedAccount2AppIngress083DAF3BDC, SecurityGroupsSharedAccount2AppIngress01041C73D1B, SecurityGroupsSharedAccount2WebIngress1181054897, 
SecurityGroupsSharedAccount2DataIngress04582F4820, SecurityGroupsSharedAccount2WebIngress1107F5D0624, SecurityGroupsSharedAccount2DataIngress052F32FB9E, SecurityGroupsSharedAccount2MgmtIngress111BE6B15F7, SecurityGroupsSharedAccount2WebIngress173D0B7DDD, SecurityGroupsSharedAccount2DataIngress097A448418, SecurityGroupsSharedAccount2AppIngress053A39F8DF, SecurityGroupsSharedAccount2WebIngress111AA65C79B, SecurityGroupsSharedAccount2WebIngress1667A14582, SecurityGroupsSharedAccount2MgmtIngress120B402375, SecurityGroupsSharedAccount2AppIngress038FF5B73E, SecurityGroupsSharedAccount2AppIngress09326BB9CE, SecurityGroupsSharedAccount2DataIngress06F21500D4].
Additional context
We were trying to add two accounts in our Config.json file: one in the Dev OU (the error concerns that account) and one in the Central OU (Phase 2 for that account went without a hitch).